Information Security Assurance Plan 2015/16
Policy number: N/A
Version: 2.0
Approved by: Information Governance Sub-Committee
Name of author/originator: Daniel Lo Russo, Information Governance Manager
Owner (Exec Director): Elaine Newton, Director of Governance & Compliance/SIRO
Date of approval: August 2015
Date of last review: July 2015
Next due for review: April 2016 for approval following release of Version 14 CCG IG Toolkit (expected June 2016)
Version control sheet

Version | Date | Author | Status | Comment
1.0 | March 2014 | Daniel Lo Russo | Draft | Draft for Q&CGC approval
1.1 | March 2014 | Daniel Lo Russo | Approved | Approved by Quality & Clinical Governance Committee
1.2 | March 2014 | Daniel Lo Russo | Final | Front sheet added
2.0 | July 2015 | Daniel Lo Russo | Draft | Draft for IG Sub-Committee approval
2.0 | TBC | Daniel Lo Russo | Final | Approved by IG Sub-Committee
Related Documents

Information Governance Framework
Confidentiality & Data Protection Policy
Information Security Policy
Records Management Policy
2015/16 Caldicott Function Assurance Plan
Information Security Assurance Plan
Introduction

This work programme is designed to support the Information Security Policy, and describes how NHS Guildford and Waverley CCG can obtain assurance to address its Information Security needs (as required by the IG Toolkit Requirement 13-300 series). Information and information systems are important assets and it is essential that the CCG takes all necessary measures to ensure that they are protected, available and accurate to support the operations of the business at all times.

The aim of the CCG’s Information Security Policy and individual System Level Security Policies and Risk Assessments is to maintain the confidentiality, integrity and availability of the information stored, processed and communicated by and within the CCG.

This assurance plan outlines roles and responsibilities for managing Information Security, Information Security Incidents, and controls. It details the activities the CCG will undertake to provide assurance regarding its level of compliance with Information Security Assurance related requirements of the CCG IG Toolkit. It also details how the CCG will seek assurance with respect to ICT services provided by the South East Commissioning Support Unit (CSU). The Information Security Assurance Plan therefore includes two separate but related elements:
1. Local Information Security Assurance Plan
2. Assurance Plan for ICT Services provided by South East CSU

Actions identified in the Assurance Plan will be included within the annual Information Governance Improvement Programme.

Information Security Management Responsibilities

Responsibility for managing Information Security within the CCG rests with all employees and the following key officers:
SIRO (Senior Information Risk Owner)
Information Security Officer (Information Governance Manager)
Information Asset Owners (IAOs)

Details of specific roles and responsibilities are included within the CCG’s Information Security Policy. Responsibilities for managing Information Security within the CSU are defined within the South East CSU’s ICT Security Policy and Application Security Policy. These are available to CCG staff via the CSU’s website (over N3 network only) or by request to the CCG’s IG Manager.

Every CCG staff member and contractor is responsible for processing personal data, sensitive personal data and sensitive corporate data in a secure manner.
Approval, Monitoring & Reporting
This plan will be approved by the IG Sub-Committee of the CCG’s Quality & Clinical Governance Committee, which includes the SIRO;
Exception reports against this Assurance Plan will be provided at regular review meetings between the CCG’s SIRO and Information Governance Manager;
Exception reports against this Assurance Plan will be provided at each meeting of the IG Sub-Committee (IGSC) of the CCG’s Quality & Clinical Governance Committee;
Reports against this Assurance Plan will be used to support IGSC approval of submission of the CCG’s annual IG Toolkit assessment;
An annual summary report will be provided to the CCG’s Governing Body;
The effectiveness of the Assurance Plan and related functions/roles will be reviewed annually as part of the CCG’s IG Improvement Programme;
The IG Sub-Committee of the CCG’s Quality & Clinical Governance Committee will review and approve a 2016/17 Information Security Assurance Plan following publication of 2015/16 CCG IG Toolkit requirements (expected June 2016).
Abbreviations Used in Assurance Plan
CSU – Commissioning Support Unit
DR&BC – Disaster Recovery & Business Continuity
IA – Information Asset
IAO – Information Asset Owner
ICT – Information Communication Technology
PIA – Privacy Impact Assessment
Section 1 – Local Information Security Assurance Plan

Please see the CCG’s 2015/16 IG Improvement Plan for details of the current scheduling of activities detailed below.

Control | IGT (v13) Req. | Assurance Activity/Monitoring Q1 | Further Action Req. Q2-4 | Responsible

Information Security Framework
There is an appropriate Information Security Framework in place. | 131 340 | Review of IG & Information Security related policies in progress. | IGSC approval of updated Information Security policy. | IG Manager
Independent assurance regarding ICT risk management | 131 340 341 | Independent audit of ICT risk management completed – outcome: Substantial Assurance. | Information Security IGT measures included within 15/16 IGT audit sample. | IG Manager

Staff Awareness & Training
Over 95% staff completion of mandatory IG Training | 134 | Training of new staff. See Key Performance Indicators reports. | Refresher training for existing staff. | IG Manager
SIRO and IAO training | 345 | Training Needs Analysis reviewed. | Mandatory training to be completed. Explore additional local training. | IG Manager
IA Incident reporting training | 349 | Review of new HSCIC guidance | Development of new IG Incident Reporting Procedures and evidence of staff understanding | IG Manager

IG related contract clauses in place with third parties
Appropriate IG clauses are in place for all staff, contractors and third parties | 132 341 351 | Discussions with project and contract managers regarding IG requirements for new contracts | Assurance that appropriate compliance with IG related requirements has been received from third parties | Directors of Contracts

Structured Implementation and InfoSec Accreditation
All services and information assets are developed to comply with Information Security requirements | 237 | Advice and guidance to CCG staff developing new services and information assets. | Information asset review programme to be completed. Input to OD Programme to ensure IG needs reflected. | IG Manager

Information Asset Register
Includes all key/critical local information assets including sensitive or personal data | 340 341 345 | None | Update following completion of Risk Assessments & SLSPs | IG Manager
Confirms IA Risk Assessments completed | 345 351 | None | Update following completion of Risk Assessments & SLSPs | IG Manager
Confirms Access Controls | 237 344 | None | Update following completion of Risk Assessments & SLSPs | IG Manager
Confirms DR&BC Plans | 346 | None | |
Confirms System Level Security Policies | 344 | None | |

Data Flow Mapping
Mapping of data flows for all business units | 350 236 | Safeguarding sessions being organised currently | Data flow mapping exercise refresh | IG Manager
Risk assessment of data flows | 350 351 | None | |
SIRO's review of data flow mapping outcomes | 350 351 | None | |
Information sharing/data processor agreements | 351 250 | LAC & ICP Information Sharing Agreements in progress | Register of ISAs maintained and regularly reviewed | IG Manager
Compliance with email policy | 235 348 351 | Guidance being updated and non-NHS email accounts being closed by CSU. | Staff evidence read and understood guidance. | IG Manager
Robust encryption methods used for transfers of sensitive/personal data | 235 348 351 | Staff guidance being updated. | Data flow mapping exercise refresh | IG Manager
Use of mobile memory media | 235 348 351 | Use of encrypted USB sticks by CCG staff | Review staff use of personal iPhones and use of iPads for Board Papers etc. | IG Manager

Information Risk Management
Risk Assessment of existing, new and proposed local Information Assets. | 235 341 345 | Complete for high risk assets (quarterly reviews) | Review and update risk assessments and System Level Security Policies at required frequency. | IG Manager
System level security policies established for existing, new and proposed local key/critical Info Assets. | 344 | Complete for high risk assets (quarterly reviews) | | IG Manager
Team level BC&DR plans include access to key/critical IAs | 346 | None | Development and testing of team level BC&DR Plans | Deputy Director G&C
Privacy Impact Assessments (PIAs) undertaken for new services | 235 237 | PIAs completed for LAC work and Integrated Care (in progress) | Complete PIAs as required. Take forward as part of CCG OD Programme. | IG Manager
Physical Protection of Premises/equipment | 341 351 | None | Arrange for physical penetration testing to take place by 3rd party | IG Manager
Monitoring of ICT services delivered by 3rd party organisations | 237 344 347 348 | See Section 2 – Assurance Plan for ICT Services Provided by South East CSU. Meeting held with CSU Account Manager and ICT Lead | Various assurance and supporting evidence. See Section 2 – Assurance Plan for ICT Services Provided by South East CSU | IG Manager
Staff IG Survey to be undertaken | 134 231 | None | Develop questions and methodology | IG Manager

ICT Network Usage
Acceptable Usage of email system | 235 350 | Staff guidance in development. NHS.net upgrade underway. | Explore NHS.net mailbox reporting with HSCIC | IG Manager
Acceptable Usage of internet | 235 350 | Implementation of proxy server. | Move all staff to proxy and receive regular reports from CSU. | IG Manager

NHS Smart Card Usage
CCG Registration Authority policy and procedures in place | 342 | Policy and procedures in place. | Review following receipt of CSU updated RA Policy. | IG Manager
CCG to ensure adequate governance over the issuing/use of NHS Smartcards | 343 | Q1 reports from CSU Registration Authority and reviewed by CCG sponsors. | Receive and review reports Q2 - 4. | CGSM Manager

NHS Number Usage
There is consistent and comprehensive use of the NHS Number in line with NHS requirements | 421 | Development of Accredited Safe Haven (ASH) outline business case for IGSC and EMT review. | Include NHS Number use review within 2015/16 Information Asset Review Programme. | IG Manager

IG Incident Management
Robust incident reporting arrangements in place | 349 | Monitoring and reporting of IG related incidents in accordance with CCG procedures. | CCG incident reporting procedures updated to reflect latest HSCIC Guidance. | IG Manager
Monitoring of IG related incident trends | 235 349 | Monitoring and reporting of IG related incidents in accordance with CCG procedures. | Undertake trend analysis of incidents | IG Manager
Staff awareness and compliance with incident reporting procedures | 134 | E-brief reminder and incident form circulated. | Audit of incident records to be undertaken. | IG Manager

User Access Control
Robust registrations & leavers process in place | 235 343 344 | Guidance issued via E-brief. HR review of processes in place. | Audits of records held by CCG and CSU. | IG Manager

Mobile Computing
Robust encryption in place on laptops. | 348 | Raised concerns to CSU | Assurance from CSU | IG Manager
Equipment held by authorised individuals only | 348 | Records held of authorisations | Audits of records held by CCG and CSU. | IG Manager

Pseudo. and Anonymisation
Robust pseudonymisation and/or anonymisation is undertaken | 236 352 | Provided under SLA with CSU. | Assurance statement from CSU. | Head of Information

Please see below for Section 2 – Assurance Plan for ICT Services Provided by South East CSU
Section 2 – Assurance Plan for ICT Services Provided by South East CSU

Please see the CCG’s 2015/16 IG Improvement Plan for details of the current scheduling of activities detailed below.

Control | IGT (v13) Req. | Assurance Activity/Monitoring Q1 | Further Action Req. Q2-4 | Responsible

Contracts are monitored and assurance gained in respect of compliance with IG requirements
Assurance required in respect of compliance with IG requirements | 132 | Review of CSU 14/15 IGT Return | Copy of CSU's final 2014/15 IGT Independent Audit Report | IG Manager
| | Meeting with CSU Account Manager and ICT Lead | In year assurance regarding 15/16 IGT score for CSU, copies of NHS England’s Reports on Internal Controls in place at SECSU, and copy of CSU's draft 2015/16 IGT Independent Audit Report | IG Manager

Assurance regarding individuals with access to CCG confidential data
Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation | 133 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance statement regarding suitable IG clauses being in place for any CSU staff who may access CCG personal data (e.g. ICT staff) | IG Manager

CCG confidentiality checks
Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request. | 235 | As above. | Report showing usage of removable media devices (USBs etc) used to remove data from CCG electronic filing system | IG Manager
| | As above. | Confirmation that all non-NHS.net email accounts for GWCCG users have now been deleted | IG Manager
| | As above. | Assurance statement or independent audit report confirmation regarding confidentiality audits for CSU systems holding CCG confidential data undertaken during 15/16 | IG Manager

Information Risk Management
The work necessary to provide Information Security Assurance has been identified | 340 | Informed CSU that current version of CSU’s IS Assurance Plan available to CCG is out of date. | Updated CSU IS Assurance Plan for review. | IG Manager
An Information Risk Assessment and Management Programme has been documented along with associated strategies, policies and procedures, linked to the organisation's corporate risk register | 341 | As above. | As above. | IG Manager

There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority (RA)
All CSU RA staff have received the mandated national training. | 342 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding CSU RA Staff Training completion | IG Manager
RBAC implementation at Registration Authorities | | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding RBAC fully implemented. | IG Manager
CSU RA service capacity | | As above. | Assurance regarding RA consumables etc | IG Manager
CSU have robust RA policy in place | 343 | Informed CSU that current version available to CCG is out of date. | Updated CSU Registration Authority Policy for review. | IG Manager
Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use | | Q1 report received from CSU and reviewed by CCG Sponsors/Line Managers. Closure of access no longer required. | Quarterly reports showing current CCG Smartcard users | IG Manager
| | Q1 report received from CSU and reviewed by CCG. All current users have electronically signed their terms and conditions. | Audit report on the outcome of checking that all CCG NHS Smartcard users have electronically signed their terms and conditions | IG Manager

ICT Application Assurance
Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems | 344 | Details of required assurance provided to CSU Account Manager and ICT Lead | Standard CCG desktop and laptop image build (including common and technical applications) and specific builds for roles (Info Team, Comms Team) to be agreed. | IG Manager
As above. | | Details of required assurance provided to CSU Account Manager and ICT Lead | ICT Network reports on password strength settings and number of failed login attempts for GWCCG staff members | IG Manager
There are appropriate user access management procedures (including user registration, update and deregistration processes), technical functionality and management controls for all key information assets identified in the organisation's asset register. | | Details of required assurance provided to CSU Account Manager and ICT Lead | Reports showing CCG Account Directory accounts (including details date opened, approver and date closed) | IG Manager
| | As above. | Report showing G&WCCG Account Directory Accounts Inactive for 2 or more weeks | IG Manager
Access to information assets is only possible for individuals who have been duly authorised | | Details of required assurance provided to CSU Account Manager and ICT Lead | Examples of ICT Network access logs for G&WCCG users (e.g. 2 week period) | IG Manager
| | As above. | Penetration Testing results for ICT network utilised by CCG (COIN) | IG Manager

SIRO Assurance
An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy | 345 | Details of required assurance provided to CSU Account Manager and ICT Lead | CSU Information Security Policy to check alignment with CCG policy | IG Manager

Business Continuity Plan
Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place | 346 | | Assurance regarding BCDR arrangements for services provided to CCG under SLA and testing of these during 15/16 | IG Manager

ICT Network Assurance
Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | 347 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding Surrey Community of Interest Network (COIN) utilised by CCG & COIN Stakeholder Group updates and Risk Assessments | IG Manager
| | Installation of proxy server and some CCG users moved to test environment. | Take forward proxy server configuration and roll out to all users. | IG Manager
| | Details of required assurance provided to CSU Account Manager and ICT Lead | Reports to support acceptable usage of internet monitoring by CCG | IG Manager

Mobile computing and teleworking assurance
Policy and procedures ensure that mobile computing and teleworking are secure | 348 | Details of required assurance provided to CSU Account Manager and ICT Lead | Report on RAS Accounts (including details date opened, approver and date closed) | IG Manager
| | As above. | Reports showing devices (phones, iPads and laptops) on network being utilised by CCG staff | IG Manager
| | As above. | Assurance that attached VPN solution diagram remains correct and has been penetration tested in 15/15 | IG Manager
| | As above. | Assurance regarding encryption system in place on Surrey CCG laptops | IG Manager

Incident Reporting
Adherence with NHS incident management and reporting procedures | 349 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance that CSU has not experienced any data loss incidents (inc near misses) relating to GWCCG confidential business data (inc PID) | IG Manager

Data Flow Mapping
All transfers of CCG personal data to countries outside of the UK fully comply with the Data Protection Act 1998 and DH guidelines. Where the review of overseas transfers reveals that appropriate contracts are not already in place for existing transfers, the organisation ensures that new contractual arrangements are signed. | 236 | Details of required assurance provided to CSU Account Manager and ICT Lead | Statement confirming whether the CSU transfers/processes any G&W CCG data outside UK/EEA and, if so, statement confirming that all transfers of personal data to countries outside of the UK fully comply with the Data Protection Act 1998 and DH guidelines. | IG Manager
All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers | 350 | As above. | Assurance regarding processing of GWCCG data by CSU | IG Manager

Technical Controls Assurance
All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures | 351 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding penetration testing of ICT Network utilised by CCG | IG Manager
| | As above. | Assurance regarding encryption system in place on Surrey CCG laptops and penetration testing of VPN | IG Manager

Pseudo. and anonymisation assurance
The confidentiality of CCG service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate | 352 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding processing of GWCCG data by CSU | Head of Information

Records Management Assurance
The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience | 420 | Details of required assurance provided to CSU Account Manager and ICT Lead | Reports on corporate X Drive Usage (to include no of folders, destination/no of files, file type, file size etc) | IG Manager
| | As above. | Reports on staff personal Z Drive Usage (to include no of folders/no of files, file type, file size etc) | IG Manager

NHS Number Assurance
There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements | 421 | Details of required assurance provided to CSU Account Manager and ICT Lead | Confirmation that CSU have NHS Number plan in place | IG Manager